> On Aug 3, 2017, at 12:26, Kathleen Wilson via dev-security-policy
> <[email protected]> wrote:
>
> All,
>
> I have conflicting opinions about this situation:
>
> On the one hand, I want to see better behavior, and am inclined to add these
> two intermediate certs to OneCRL, and tell StartCom and Certinomis to start
> over and do things right.
>
> On the other hand, I'm not convinced yet that the issued non-BR-compliant
> certs are any worse than we've seen from other CAs for whom we tell them to
> fix the problem but do not add their relevant intermediate certs to OneCRL.
>
> Kathleen
Even absent the BR-violating certificates and disclosure timeline, I believe this cross-sign is problematic because it appears to circumvent the prerequisites and process described in https://bugzilla.mozilla.org/show_bug.cgi?id=1311832 for StartCom's application for re-inclusion into the Mozilla root store. It's not clear to me what the point of those requirements is if they can be avoided by obtaining cross-signatures from other CAs that are currently trusted by Mozilla.

As far as the misissued certificates are concerned, here are a couple of points to consider:

1) Many of the certificates are improperly validated "test" certificates, a practice that is extremely problematic and indicates a lack of or circumvention of technical controls.

2) StartCom's systems are apparently new, but they have failed to correctly implement simple aspects of the certificate profile such as keyUsage bits and character encodings. These issues are trivially detected by running tools like certlint and should have been caught well before the system made it into production.

Jonathan

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
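The two profile details named in point 2 above, keyUsage bits and DirectoryString character encodings, are exactly the kind of thing a pre-issuance linter catches mechanically. The following is an added example, not part of the thread and not certlint's own code: a stdlib-only Python DER walker that runs certlint-style checks over constructed Name and keyUsage fragments (the sample subjects and bit strings are made up here, not taken from any StartCom or Certinomis certificate). It assumes single-byte DER tags and looks only at these two fragments rather than parsing a whole certificate; the RFC 5280 rules it enforces are that a DirectoryString in a new certificate is PrintableString or UTF8String (4.1.2.4), that a PrintableString stays within its character repertoire, that a keyUsage BIT STRING is DER-minimal, and that an end-entity certificate does not assert keyCertSign or cRLSign.

```python
"""Added example (not from the mailing-list thread, not certlint itself):
certlint-style checks on keyUsage bits and DirectoryString encodings, run
over constructed DER fragments with a minimal stdlib-only DER walker."""

KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]
STRING_TAGS = {0x13: "PrintableString", 0x0C: "UTF8String", 0x14: "TeletexString",
               0x1E: "BMPString", 0x1C: "UniversalString", 0x16: "IA5String"}
DISCOURAGED_TAGS = {0x14, 0x1E, 0x1C}      # RFC 5280 4.1.2.4: use PrintableString/UTF8String
ATTR_NAMES = {"550406": "C", "55040a": "O", "550403": "CN"}
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")


def read_tlv(data, pos=0):
    """Parse one DER TLV at pos (single-byte tags only). Returns (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def der_children(data):
    """Split the contents of a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(data):
        tag, value, pos = read_tlv(data, pos)
        out.append((tag, value))
    return out


def tlv(tag, content):
    """DER-encode a TLV; used only to build the constructed samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def lint_name(name_der):
    """Check every AttributeTypeAndValue in a DER Name for string-type problems."""
    findings = []
    _, rdn_sequence, _ = read_tlv(name_der)
    for _, rdn_set in der_children(rdn_sequence):          # RelativeDistinguishedName ::= SET
        for _, atv in der_children(rdn_set):               # AttributeTypeAndValue ::= SEQUENCE
            (_, oid), (vtag, value) = der_children(atv)
            attr = ATTR_NAMES.get(oid.hex(), oid.hex())
            kind = STRING_TAGS.get(vtag, f"tag 0x{vtag:02x}")
            if vtag in DISCOURAGED_TAGS:
                findings.append(f"{attr}: encoded as {kind}; RFC 5280 4.1.2.4 requires "
                                "PrintableString or UTF8String")
            elif vtag == 0x13 and not set(value.decode("ascii", "replace")) <= PRINTABLE:
                findings.append(f"{attr}: PrintableString contains characters outside its repertoire")
    return findings


def decode_key_usage(ku_der):
    """Return the set of asserted KeyUsage bit names from a DER BIT STRING."""
    tag, value, _ = read_tlv(ku_der)
    if tag != 0x03:
        raise ValueError("keyUsage must be a BIT STRING")
    unused, bits = value[0], value[1:]
    nbits = len(bits) * 8 - unused
    return {KEY_USAGE_BITS[i] for i in range(min(nbits, len(KEY_USAGE_BITS)))
            if bits[i // 8] & (0x80 >> (i % 8))}


def lint_key_usage(ku_der, is_ca):
    """Profile checks on keyUsage: DER minimality plus CA / end-entity bit expectations."""
    findings = []
    _, value, _ = read_tlv(ku_der)
    unused, bits = value[0], value[1:]
    if bits and not (bits[-1] & (1 << unused)):            # DER trims trailing zero bits of a named bit list
        findings.append("keyUsage BIT STRING is not DER-minimal (trailing zero bits not trimmed)")
    usage = decode_key_usage(ku_der)
    if not usage:
        findings.append("keyUsage asserts no bits")
    if is_ca:
        if "keyCertSign" not in usage:
            findings.append("CA certificate lacks keyCertSign")
    else:
        findings.extend(f"end-entity certificate asserts {b}" for b in ("keyCertSign", "cRLSign") if b in usage)
    return findings


def attribute(oid_hex, tag, text):
    """Build one single-attribute RDN (SET { SEQUENCE { OID, value } }) for the samples."""
    raw = text.encode("utf-16-be") if tag == 0x1E else text.encode("utf-8")
    return tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(tag, raw)))


# Constructed samples (not real certificates): a clean subject versus one with
# three encoding defects, and a clean server keyUsage versus two defective ones.
GOOD_NAME = tlv(0x30, attribute("550406", 0x13, "IL")
                      + attribute("55040a", 0x13, "Example CA Ltd.")
                      + attribute("550403", 0x0C, "example.com"))
BAD_NAME = tlv(0x30, attribute("550406", 0x14, "IL")                      # TeletexString
                     + attribute("55040a", 0x13, "Example CA Ltd. & Co")  # '&' is not printable
                     + attribute("550403", 0x1E, "example.com"))          # BMPString
GOOD_KU = bytes.fromhex("030205a0")    # digitalSignature + keyEncipherment, 5 unused bits
BAD_KU = bytes.fromhex("030202a4")     # same plus keyCertSign on an end-entity certificate
SLOPPY_KU = bytes.fromhex("030200a0")  # same bits as GOOD_KU but trailing zero bits kept

if __name__ == "__main__":
    for label, name in (("good subject", GOOD_NAME), ("bad subject", BAD_NAME)):
        print(label, lint_name(name) or "OK")
    for label, ku in (("server keyUsage", GOOD_KU), ("server keyUsage + keyCertSign", BAD_KU),
                      ("non-minimal keyUsage", SLOPPY_KU)):
        print(label, lint_key_usage(ku, is_ca=False) or "OK")
```

The checks are deliberately mechanical: none of them needs policy judgement, which is the point being made above about catching such defects before a system reaches production.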

